International Cooperation: Opportunities & obstacles of sharing of information across borders

2:30-4:00, Tuesday 15 September 2015


Introduction

• Session Facilitator: Jamie Clark, General Counsel, OASIS

• Ken Ducatel, Chief Information Security Officer, European Commission

• Ryuichi Hirano, Counsellor, National center of Incident readiness and Strategy for Cybersecurity (NISC), Cabinet Secretariat, Government of Japan

• Adam Sedgewick, Senior Information Technology Policy Advisor, National Institute of Standards and Technology

Informatics

Information Sharing & Reporting for Cybersecurity in the EU context

Ken Ducatel, European Commission - CISO


The EU Context


• Legislative requirements for breach notification

  • Breach notifications for telecom providers (already law since 2009: Art 13a of the Framework Directive and Art 4 of the e-Privacy Directive)

  • eIDAS Art 15 for trust service providers

  • NIS Directive and General Data Protection Regulation proposals still under discussion

• Information sharing

  • Member States (NIS Directive proposals)

  • ENISA: providing cyber threat intelligence and capacity building

  • Between EU institutions (CERT-EU)

  • Inside the European Commission


Breach notifications by law (NIS Directive):

• operators of critical infrastructures in some sectors (financial services, transport, energy, health),

• enablers of information society services (app stores, e-commerce platforms, Internet payment, cloud computing, search engines, social networks),

• and public administrations

must adopt risk management practices and report (notify) major security incidents on their core services to national authorities.


Exchange of threats, know-how and incidents


a) NIS Directive: creation of a cooperation mechanism among Member States and the Commission to share early warnings on risks and incidents through a secure infrastructure, cooperate and organise regular peer reviews.

b) European Commission: CISO/DG DIGIT; the Directorate for Security and other Local IS Officers

c) ENISA (European Union Network and Information Security Agency):

d) CERT-EU: Works for the 60+ EU Institutions and Agencies


IT Security in the EU Institutions: Organisationally complex (source: RAND for the EP, 2013)

[Organisation chart; only the label "DG HR & Sec" survives extraction]


Set-up

• EU Institutions’ own CERT

• Created 6/2011, operational four months later

• Supports 60+ entities

• Supporting defense against targeted cyber threats

• Single point of contact


CERT-EU Partners – Peers

Update National Cybersecurity Framework of Japan

The Basic Act on Cybersecurity Government Organization

[Organisation chart; labels as extracted]

Before the Act: Cabinet of Japan; Information Security Policy Council; NISC; IT Strategic Headquarters (Director-General: Prime Minister); NSC (Chair: Prime Minister)

After full enforcement of the Act (9 January 2015 ~): Cabinet of Japan; Cybersecurity Strategic Headquarters (Director-General: Chief Cabinet Secretary); NISC; IT Strategic Headquarters; NSC; Cabinet Order; "Cooperation" links between the bodies

1. General Provisions: Purpose / Definition / Basic Principles / Responsibility …

2. Cybersecurity Strategy: comprehensive and effective promotion of cybersecurity policy; Cabinet decision / report to the Diet

3. Basic Policy:

  • Assurance at Administrative Organs

  • Assurance at Critical Infrastructure Operators

  • Facilitation of voluntary activity of private enterprises

  • Cooperation with multiple stakeholders

  • Crackdown on cybercrime and prevention of damage

  • Action for matters which may critically affect the national security

  • Enhancement of industrial development

  • Promotion of R&D, education, international cooperation

  • Development of human resources

4. Cybersecurity Strategic Headquarters: the Headquarters shall be established under the Cabinet; national cybersecurity strategy, evaluation, coordination

Enactment of the Bill: 6 November 2014. Enforcement: from 9 January 2015.

Definition: NISC = National center of Incident readiness and Strategy for Cybersecurity (previously: National Information Security Center)

New “Cybersecurity Strategy of Japan” (Outline)

1 Understanding of Cyberspace

• Blessings of Cyberspace: generating infinite values, essential foundation for our socio-economic activity

• “Hyper-connected and converged society” is coming

• Cyber threats are becoming more serious and being perceived as national security matters

2 Objective

Develop and advance free, fair, and secure cyberspace and subsequently contribute to:

1) Socio-Economic Vitalization and Sustainable Development

2) Realizing a Safe and Secure Society for the People

3) Peace and Stability of International Community and Japan’s National Security

(Slide taglines: ~ Foundation for 2020, further ~; ~ From Cost to Investment ~; ~ Proactive contribution to peace in cyberspace ~; Proactive / Initiative / Converged society)

3 Principle

1. Free Flow of Information 2. Rule of Law 3. Openness 4. Self-governance 5. Cooperation among Multi Stakeholders

4 Policy Measure

1) Socio-economic vitalization

■ Creating Secure IoT System: new industry creation by safe IoT

■ Promoting Management with cybersecurity mindset: awareness raising of senior executives

■ Improving Business Environment: promoting cybersecurity business

2) Safe and secure society

■ Protecting People and Society: enhancing capability and countermeasure

■ Protecting CII: enhancing information sharing between public and private

■ Protecting Governmental Agencies: strengthening defense and management audit

3) International Peace and stability, National security

■ Ensure Japan’s National Security: improving cyber capabilities

■ International Peace and Stability: rule of law in cyberspace, confidence building

■ International Partnership: cooperation in a wide range of areas

Cross Cutting

■ R&D: improving detection and protection capabilities

■ Human Resources: developing multi-talent, practical training, promoting skill standards

5 Organization

Enhancement of cooperation with public and private sector; institution building toward the Tokyo Olympic and Paralympic Games in 2020

International Cooperation in Cybersecurity and Standards

15 September 2015

[email protected]

Obama Administration’s Priorities on Cyberspace

1. Protecting the country's critical infrastructure — our most important information systems — from cyber threats.

2. Improving our ability to identify and report cyber incidents so that we can respond in a timely manner.

3. Engaging with international partners to promote internet freedom and build support for an open, interoperable, secure, and reliable cyberspace.

4. Securing federal networks by setting clear security targets and holding agencies accountable for meeting those targets.

5. Shaping a cyber-savvy workforce and moving beyond passwords in partnership with the private sector.

Cybersecurity at NIST

• Non-regulatory role in cybersecurity began in 1972 with the development of the Data Encryption Standard, when the commercial sector also had a legitimate need for cryptography, including in ATMs.

• Using widely accepted standards helps create competitive markets around market need through combinations of price, quality, performance, and value to consumers. It then promotes faster diffusion of these technologies throughout industry.

• Ensure timely availability of standards, and associated testing, that address identified NIST IT Laboratory priorities, including national priorities established in statute or administration policy;

• Achieve cost-efficient, timely and effective solutions to legitimate regulatory, procurement and policy objectives;

• Promote standards and standardization systems that enable innovation and foster US competitiveness; and

• Facilitate international trade and avoid the creation of unnecessary obstacles to trade.

Key NIST Information Sharing Projects

• NIST has worked on security automation and continuous monitoring standards and test tools. The standards support:

  • Identification of IT assets

  • Awareness of the operational state of computing devices

  • Standardized security reference data

  • Analysis of security control effectiveness measures

• NIST helped develop the Security Content Automation Protocol (SCAP) and move it to the IETF standards body.

• NIST hosts the National Vulnerability Database (NVD) to maintain a database of security checklists, security-related software flaws, misconfigurations, product names, and impact metrics.

• Draft SP 800-150, Guide to Cyber Threat Information Sharing, provides organizations with guidance on establishing, participating in, and maintaining information sharing relationships throughout the incident response life cycle.

Executive Order 13636: Improving Critical Infrastructure Cybersecurity

“It is the policy of the United States to enhance the security and resilience of the Nation’s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties”

President Barack Obama, Executive Order 13636, Feb. 12, 2013

• The National Institute of Standards and Technology (NIST) was directed to work with stakeholders to develop a voluntary framework for reducing cyber risks to critical infrastructure

• Version 1.0 of the framework was released on Feb. 12, 2014, along with a roadmap for future work

International Aspects, Impacts, and Alignment of the Cybersecurity Framework

• Because the Framework references globally accepted standards, guidelines and practices, organizations inside and outside of the United States can use the Framework to efficiently operate globally and manage new and evolving risks.

• “Cybersecurity risks and threats are a global problem, and the more the Framework can be socialized globally, especially among governments and those agencies that deal with cyber issues, the better.” - ISACA

• We are working with standards developing organizations, industry, and sectors to ensure the Cybersecurity Framework remains aligned and compatible with those existing and developing standards and practices.

NISTIR 8074: Report on Strategic USG Engagement in International Cybersecurity Standards

• To ensure cybersecurity and resiliency of U.S. information and communications systems and supporting infrastructures, we must develop and use robust cybersecurity standards and assessment schemes

• Four key (and interrelated) objectives for standards and assessment:

  • Enhancing national and economic security and public safety

  • Ensuring standards and assessment tools are technically sound

  • Facilitating international trade

  • Promoting innovation and competitiveness

• Standards developing bodies that develop standards through open, transparent, impartial, and consensus-based processes and are globally relevant are strongly preferred

Resources: Where to Learn More and Stay Current

The National Institute of Standards and Technology Web site is available at http://www.nist.gov

NIST Computer Security Division Computer Security Resource Center is available at http://csrc.nist.gov/

The Framework for Improving Critical Infrastructure Cybersecurity and related news and information are available at www.nist.gov/cyberframework

For additional Framework info and help: [email protected]

#BorderlessCyber

Questions?